Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This threat is a variant of the Mirai botnet malware, which infects Linux-based systems like IoT devices and routers. It adds the compromised device to a botnet used for launching large-scale Distributed Denial-of-Service (DDoS) attacks. The detection is based on machine learning behavioral analysis, indicating activity consistent with the Mirai family.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_KY_2147939801_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.KY!MTB"
        threat_id = "2147939801"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        // Both patterns are big-endian MIPS32 code fragments (lw $t9 / jalr $t9 call sequence, stack frame teardown), not printable strings
        $x_1_1 = {8f 99 83 6c 27 a4 00 18 24 05 00 01 12 00 00 08 02 40 30 21 03 20 f8 09 00 00 00 00 24 03 00 01 8f bc 00 10 10 43 ff f6 26 10 ff ff 26 10 00 01 02 30 10 23 8f bf 00 2c 8f b2 00 28 8f b1 00 24 8f b0 00 20 03 e0 00 08 27 bd 00 30} // weight: 1, accuracy: High
        $x_1_2 = {82 03 00 00 00 00 00 00 10 60 00 03 24 02 00 25 14 62 ff fa 00 00 00 00 12 04 00 0c 02 04 88 23 1e 20 00 03 02 20 28 21 10 00 00 06 00 00 10 21 8f 99 83 6c 00 00 00 00 03 20 f8 09 02 c0 30 21 8f bc 00 18} // weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

bd01008034661874e60f933eae3f615035b399696ec81bc9b6613d6864a95082
493b84a1f016972afabb32695bbe869635a74a3323f983250ac3e1084ec98c59

Immediately isolate the affected device from the network. Reboot the device and perform a factory reset to remove the malware. Change all default credentials to strong, unique passwords and update the device firmware to the latest version.